Design and evaluation of a fast and robust worm detection algorithm

ABSTRACT

A method and computer product are presented for identifying Internet worm propagation based upon changes in packet arrival rates at a network connection. First, unsolicited traffic (i.e., packets that were not requested by the receiver) is separated from solicited traffic at the network connection. The unsolicited traffic arrival patterns are monitored and analyzed for any changes. Once changes in the unsolicited traffic arrival patterns are detected, the changes are mathematically analyzed to detect growth trends. The presence of growth trends that follow certain key characteristics indicates whether the changes are due to worm propagation.

FIELD OF THE INVENTION

The invention pertains to identification of Internet worm propagation.

BACKGROUND OF THE INVENTION

Malicious computer worms (or Internet worms) are a danger to any computer that is accessible via a computer network, such as the Internet. A computer worm is a self-replicating program, similar to a computer virus. However, unlike a virus, which attaches itself to and infects an executable file on a computer, a worm is self-contained and does not need to be part of another program to propagate itself.

Worms are often designed to exploit the file transmission capabilities of many computers. A worm uses a network to send copies of itself to other systems, and it does so without requiring human intervention, such as forwarding by email, which is a common method of spreading a virus. Scan-based worms use a form of scanning (transmission of packets) from an infected host to a potential new host as a propagation technique. Based on the potential host's response to this scan (i.e., does the potential host respond positively, or does the response indicate that the potential host will not accept additional packets from the infected host), the infected host determines whether to spread the worm to the potential host. It is also possible that a worm can be carried in a single packet. In this situation, the infected host transmits the packet to another address without the need for a response from the potential new host.

Typical approaches to preventing a worm outbreak involve worm detection, dissection and signature development. Signature development occurs once the worm has been identified, and a common pattern is found which can be used to identify the worm. This signature must then be propagated throughout the network, either to a firewall running security software or to each individually connected computer running a certain security program. Once the security program receives the signature, the database of signatures the security program recognizes as malicious is updated, and the computer running the security program is protected against the identified worm. But this approach does not address the case of previously unidentified worms for which no signature has been identified.

Previously unidentified, fast-spreading worms are a reality, as amply demonstrated by worms such as the Slammer worm. The release and propagation of the Slammer worm in 2003 was a revolutionary event in the study of computer worm propagation. It not only demonstrated in an unprecedented way the scale and disruption that is possible in the real world with a relatively compact worm, it also showed the ineffectiveness of current techniques in detecting and countering these new fast-spreading worms. More specifically, in the early phase of Slammer propagation, it doubled in size every 8.5 seconds. It reached a maximum scan rate of 55 million addresses per second and was able to infect more than 90 percent of vulnerable hosts within 10 minutes. In the end, even though Slammer carried no malicious payload and its main damage was in network resource (bandwidth and CPU) consumption, it served as a wake-up call to network administrators and the computer security industry.

With these kinds of fast-spreading worms, the traditional approach of signature-based detection is no longer sufficient. Worms can infect all vulnerable hosts well before a signature can be identified. Several approaches have been proposed utilizing non-signature-based detection means. One such approach detects a worm by monitoring the correlation between the incoming and outgoing packets at a network connection. More specifically, this approach studies the correlation of the payloads and packet headers of the incoming and outgoing packets. However, this correlation is not always reliable. Specifically, the technique was most effective against earlier worms that used a fixed destination port (the portion of the network address specifying the port where the packet is received on the network connection), which made correlation studies easier, as a single destination port could be monitored across the network. However, recent worm attacks randomize the destination port on the network connection. This renders monitoring of incoming and outgoing packets by destination port, and studying the correlation between the two packet types, less reliable for worm detection.

Another non-signature-based approach involves detecting a worm by identifying the exponential growth trend of scanning rates on a particular network connection. However, this process requires studying the growth trend over a given interval of time. Different worms have different propagation times. For example, a worm may inhabit a host computer for an hour before propagating to a new host. If the wrong interval of time is chosen to study the growth trend, then relevant information relating to the growth trend is missed and a worm cannot be effectively detected.

What is needed is a fast method to detect worms lacking known signatures. This method should be accurate and robust (i.e., it must quickly and accurately identify the different propagation characteristics of different worms), and work quickly enough that a worm can be detected at the inception of the worm spread, before its propagation hits its exponential growth rate.

SUMMARY OF THE INVENTION

In accordance with the principles of the present invention, a new worm detection technique is presented that utilizes a process to detect the outbreak of a new worm without knowing the signature of the worm. Changes in the traffic pattern of unsolicited packets are detected, and any changes in traffic patterns are analyzed to determine if they are consistent with changes in traffic associated with worm propagation. More specifically, traffic arrival patterns are monitored, primarily for unsolicited traffic, i.e., traffic coming into a computer network connection that was not first requested. Next, changes in the traffic patterns are analyzed. During this analysis, certain patterns of growth rates relating to the unsolicited traffic that are indicative of the presence of worm propagation are searched for, such as an exponential growth rate of unsolicited traffic from numerous senders. When such a pattern is detected, it is assumed that a worm is present, so that measures can be implemented to halt its progress.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a diagram illustrating a basic computer network.

FIG. 2 is a flow chart illustrating a method in accordance with one particular embodiment of the invention.

FIG. 3 is a printout of a worm detection algorithm according to one embodiment of the present invention.

FIG. 4 is a graph illustrating the effectiveness of the algorithm of FIG. 3 in detecting the outbreak of the Slammer Worm.

DETAILED DESCRIPTION OF THE INVENTION

In accordance with the present invention, a non-signature-based method for detecting Internet worms is presented. By monitoring and analyzing traffic patterns at a network connection, a worm can be detected.

FIG. 1 illustrates a computer network 100. In this network, clients 102, 104 and 106 connect to the server 115 through router 110. Once connected to server 115, clients 102, 104 and 106 have access to Internet 120. Also connected to Internet 120, through server 125, is client 130. Router 110 is equipped with a firewall running security software intended to monitor network traffic, specifically the packets sent and received through the router, and identify and stop any malicious traffic. Clients 102, 104, 106 and 130 are also running a desktop security program for scanning individual packets sent to the client.

Conventional security software identifies malicious packets based on the signature of the packet, or a unique identifier for each packet. However, new worms are being designed which can infect millions of hosts well before a signature can be found. For example, client 130 is infected with a previously unidentified worm such that client 130 becomes a scanner, meaning the worm sends out a scan, which is a series of packets intended to poll a potential host computer. Client 130 scans clients 102, 104 and 106. Since the worm has no known signature, neither the firewall nor the desktop security program would recognize that the packets are malicious. If clients 102, 104 and 106 respond positively to the scan, client 130 passes the worm to clients 102, 104 and 106, and they become new hosts.

FIG. 2 is a flow chart illustrating a worm detection method in accordance with the principles of the present invention. In Step 200, the unsolicited traffic being received at a specific network location is identified and isolated. Unsolicited traffic refers to network traffic that was not requested by a receiving computer. For example, the traffic at router 110 from FIG. 1 is monitored. This unsolicited traffic is isolated from the solicited traffic, to produce a traffic trace based only on the unsolicited packets received at the router.

The system now proceeds to step 205, where any changes in traffic arrival patterns are determined. Though not all changes in traffic arrival patterns are due to worm propagation, worm propagation usually results in traffic arrival pattern changes with certain similar characteristics. As described in further detail below, the system uses cumulative summing, or CUSUM, a common statistical analysis tool used to detect changes in data sets, to study the arrival rates and determine any changes. CUSUM will detect a trend of increasing unsolicited packet arrival rate.

The process continues to decision step 207, in which, if CUSUM has detected a change in the arrival rates, the process continues to step 210. If CUSUM has failed to detect a change, flow returns to step 200.

If a change is detected in Step 205, the system proceeds to Step 210, where the changes are analyzed to determine if they are related to worm propagation. Specifically, the changes are analyzed to determine whether they exhibit an exponential growth pattern in arrival rates. Maximum Likelihood Estimation (MLE) is used to fit a non-stationary Poisson process to the arrivals and estimate its rate. Poisson processes are commonly used in statistical analysis to examine the number of times an event happens during a given time interval, where the probability of the event occurring is constant with respect to time. An alarm will trigger when the MLE yields a significant increase in propagation rate with a high level of confidence.

Steps 205 and 210 are further explained herein below. In step 205, first the inter-arrival times of the unsolicited packets are determined. $T_n$ denotes the arrival time of the n-th unsolicited packet in a t-sample (a sample taken at most once every t seconds), and $X_n = T_n - T_{n-1}$ is the inter-arrival time, where $T_0 = 0$. It is assumed that the inter-arrival times $\{X_n : 1 \le n \le n_w\}$ before the worm starts are independently and identically distributed with mean $\mu$, where $T_{n_w}$ represents the time of the first worm scan. After a worm arrives, the inter-arrival times $\{X_n : n \ge n_w\}$ should have a decreasing mean that is less than $\mu$. This shift in the distribution of inter-arrival times may be considered a change point in statistical terms, and CUSUM is designed for detecting changes from one distribution to another, such as this change in inter-arrival times.

The CUSUM scheme can be applied as follows. Set $S_0 = 0$ and define

$$S_n = \max\left(0,\; S_{n-1} + \mu - X_n - p\mu\right), \qquad n = 1, 2, \ldots$$

where p depends on the expected drop in mean inter-arrival time due to a worm. Typically, $p\mu$ is set to about half the size of the drop in mean inter-arrival time that must be detected, which allows a change in arrival rates to be detected quickly. A change of inter-arrival time is signaled whenever $S_n$ exceeds a certain threshold h. The theory behind CUSUM is that, if the mean of $X_n$ shifts from $\mu$ to something smaller than $\mu - p\mu$ at sample $n_w$, then $S_n$ will tend to accumulate positive increments after $n_w$ and thus eventually cross the threshold h and signal a change. In practice, $\mu$ is not known, as arrival times can vary due to network conditions; but an estimate, such as an Exponentially Weighted Moving Average (EWMA), can be used in its place. The EWMA is started from the median of an initial sample of inter-arrival times.

Choosing the threshold parameter, h, requires trading off between detection delay (i.e., sensitivity) and the false detection rate. Small values of h provide quick detection when changes are present but also give more false alarms. The threshold h can be calculated from the expected time between false alarms, known as the Average Run Length (ARL) in quality control.

As seen in the flowchart, the CUSUM process used in step 205 is not used to directly trigger a worm alarm, but only as a first stage toward worm detection. As previously noted, if the CUSUM value $S_n$ exceeds threshold h, the process proceeds to step 210, in which the detected changes are analyzed and a worm propagation model is estimated. However, if a new worm outbreak is in progress, it is probable that some time has elapsed between the outbreak and the CUSUM signal. When step 205 detects an unusual increase in unsolicited network traffic, there are three relevant cases that this increase might indicate. Let $T_{n_0}$ denote the most recent time (prior to the current signal) when the CUSUM transitioned from a value of 0 to a positive value. If a worm exists, its arrival is most likely earlier than $T_{n_0}$ (hereinafter Case 1). However, it is possible for a worm to arrive between $T_{n_0}$ and the CUSUM signaling time (hereinafter Case 2). This happens rarely, and the lag between worm infection and the CUSUM signal transitioning from 0 to a positive value will most likely be small, e.g., on the order of a second. Of course, it is also possible that no worm exists (hereinafter Case 3), which statistically is the most likely case. Let us first focus on the statistical estimation of the worm propagation model based on Case 1. It will be shown below that this also includes Case 3 and also serves as a good approximation for Case 2.

Scanner arrivals in a t-sample before a worm outbreak are well modeled as a Poisson process with rate b(t) that changes slowly with time. Scanners that arise from a fresh worm outbreak can be modeled as a non-stationary Poisson process with rate

$$\lambda(t) = a\, e^{r(t - t_w)}\, I(t \ge t_w),$$

where $t_w$ is the time when the first worm scan arrives; a is the expected number of worm scanner arrivals in the first second; r is the exponential propagation rate; and $I(x)$ is an indicator function having value 1 when x is true and 0 otherwise. It is assumed that any background scanners (non-malicious scanners) and the ones caused by a new worm are independent. The superposition of background and worm scanners is thus modeled as a non-stationary Poisson process with rate

$$\lambda(t) = b(t) + a\, e^{r(t - t_w)}\, I(t \ge t_w).$$

Because the background traffic is approximately stationary, its rate b(t) can be estimated easily using local averaging. Propagation characteristics are described by the parameters a and r, which depend on the efficiency of the worm and the size of the network being monitored. Although a is not identifiable (i.e., cannot be estimated statistically) when $t_w$ is unknown, the exponential rate r is identifiable. A worm alarm is triggered when the data indicate with high confidence that r is significantly higher than a small tolerable rate $r_0$.

For simplicity, assume that the worm starts at 0 (i.e., $t_w = 0$), unsolicited scanners arrive at times $T_1, T_2, \ldots$ according to a Poisson process with rate $\lambda(t) = b + a e^{rt}$, $t \ge 0$, and the corresponding CUSUM sequence $S_1, S_2, \ldots$ remains below the threshold h until some arrival $T_{n_0}$ ($n_0 \ge 1$) when the CUSUM exceeds h and therefore causes flow to proceed to step 210, in which the change is further analyzed.

With respect to step 210, let us define $\bar T_j = T_{n_0 + j} - T_{n_0}$ for $j = 1, 2, \ldots, n$, where $\bar T_n$ is the current arrival relative to the signaling time $T_{n_0}$. Note that we can only observe $\bar T_1, \ldots, \bar T_n$ and not the complete stream of arrivals $T_1, \ldots, T_{n_0}, T_{n_0+1}, \ldots, T_{n_0+n}$, because the worm outbreak time $t_w = 0$ is not generally known. Thus, any estimators of a and r must be based on $(\bar T_1, \ldots, \bar T_n)$, whose distribution depends on the unknowns $n_0$ and $T_{n_0}$. The following theorem and its corollary demonstrate that r can be estimated from the $\bar T_j$, but a cannot.

Theorem 1. Let $T_1, T_2, \ldots$ denote consecutive arrival times from a Poisson process with positive rate $\lambda(t) = b + a e^{rt}$ beginning at $t = 0$. Define $\bar T_j = T_{n_0 + j} - T_{n_0}$ for $j = 1, 2, \ldots$ and for some $n_0 \ge 1$. Then, given $T_{n_0} = t_0$, the relative times $\bar T_1, \bar T_2, \ldots$ are arrivals from a Poisson process with rate $\bar\lambda(t) = b + \bar a e^{rt}$, $t \ge 0$, where $\bar a = a e^{r t_0}$.

Corollary 1. Under the conditions of Theorem 1 and assuming that $a > 0$, the parameters $\bar a$, b and r are identified by the data $(\bar T_1, \ldots, \bar T_n)$ for $n \ge 3$, but the parameter a is not identified unless $t_0$ is known.

The exception $a = 0$ corresponds to no worm, and in this case the propagation rate r has no meaning. Fortunately, for the purpose of worm detection, r is the most interesting parameter, and it can be estimated by maximum likelihood inference, as discussed next.

Let $\bar\Lambda(t) = \int_0^t \bar\lambda(s)\, ds$. Then the normalized arrival times $\bar\Lambda(\bar T_1), \bar\Lambda(\bar T_2), \ldots$ follow a stationary Poisson process with rate 1. Let $l_n(r, \bar a) = \log p(\bar T_1, \ldots, \bar T_n \mid T_{n_0} = t_0)$ be the log-likelihood function for the $\bar T_j$'s conditional on $T_{n_0}$. By the density transformation formula,

$$l_n(r, \bar a) = \sum_{j=1}^{n} \log \bar\lambda(\bar T_j) - \bar\Lambda(\bar T_n) = \sum_{j=1}^{n} \log\left(b + \bar a\, e^{r \bar T_j}\right) - \left\{ b\, \bar T_n + \frac{\bar a}{r}\left(e^{r \bar T_n} - 1\right) \right\}.$$

The maximum likelihood estimates (MLE) are defined as $(\hat r, \hat{\bar a}) = \arg\max l_n(r, \bar a)$. Let $\theta = (r, \bar a)^T$ and $\hat\theta = (\hat r, \hat{\bar a})^T$, and denote $l_n(\theta) = l_n(r, \bar a)$. Then the MLE $\hat\theta$ has the favorable properties summarized in Theorem 2 below.

Theorem 2. Under the conditions of Theorem 1, if $\theta$ is bounded, then as $n \to \infty$, $\hat\theta \to \theta$ in probability and $\sqrt{n}\,(\hat\theta - \theta) \to N(0, I(\theta)^{-1})$ in distribution, where $I(\theta)$ is the information matrix,

$$I(\theta) = \lim_{n \to \infty} -E\left[\frac{1}{n} \frac{\partial^2}{\partial\theta\, \partial\theta^T}\, l_n(\theta)\right],$$

and can be estimated consistently by

$$\hat I = -\frac{1}{n} \frac{\partial^2}{\partial\theta\, \partial\theta^T}\, l_n(\hat\theta).$$

The MLE $\hat r$ and its estimated asymptotic variance are used repeatedly in the second stage to test whether r is significantly positive. In particular, $r > r_0$ is tested against $r \le r_0$, where $r_0$ (say 0.0001) is the maximal rate that can be ignored. Let $\mathrm{se}(\hat r)$ be the asymptotic standard error of $\hat r$, that is,

$$\mathrm{se}(\hat r) = \sqrt{[\hat I^{-1}]_{11} / n}.$$

Since $Z_n \equiv (\hat r - r_0)/\mathrm{se}(\hat r)$ is asymptotically normally distributed with mean 0 and variance 1 under the null hypothesis $r = r_0$, the second stage declares a worm outbreak when $Z_n > q_c$, where $q_c$ is a threshold such as the 99.99th percentile of the standard Normal distribution. For example, $q_c = 3.8$ is the 99.99% quantile of the Normal distribution.
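The second-stage estimate and test above, as an added example in Python (not the patent's FIG. 3 listing): it profiles the log-likelihood $l_n(r, \bar a)$ over r with a one-dimensional search in $\bar a$, takes the Hessian by central finite differences, and forms $Z_n$. It assumes b is known (the local average before the signal), bounds the search to $\bar a \in [0, 50]$ and $r \in [10^{-3}, 0.5]$, and constructs its input so that $\bar\Lambda(\bar T_j) = j$ exactly.

```python
import math

# Added example, not the patent's FIG. 3 listing: second-stage maximum
# likelihood estimation of the propagation rate r for the rate model
# lambda_bar(t) = b + abar * exp(r t), fitted to the relative arrival times
# T_bar_1..T_bar_n seen after the CUSUM signal, followed by the Z_n test.
# Assumptions: b is known (local average before the signal); abar is searched
# in [0, A_MAX] and r in [R_MIN, R_MAX]; the Hessian is taken numerically.

A_MAX = 50.0               # assumed bound on abar (worm scanners/s at signal time)
R_MIN, R_MAX = 1e-3, 0.5   # assumed search range for r (per second)


def log_likelihood(r, abar, b, t_rel):
    """l_n(r, abar) = sum_j log(b + abar e^{r T_j}) - {b T_n + (abar/r)(e^{r T_n} - 1)}."""
    t_n = t_rel[-1]
    s = sum(math.log(b + abar * math.exp(r * t)) for t in t_rel)
    cum = b * t_n + abar * math.expm1(r * t_n) / r   # Lambda_bar(T_n)
    return s - cum


def golden_max(f, lo, hi, iters=30):
    """Golden-section search for the maximiser of a unimodal f on [lo, hi]."""
    phi = (math.sqrt(5.0) - 1.0) / 2.0
    for _ in range(iters):
        x1 = hi - phi * (hi - lo)
        x2 = lo + phi * (hi - lo)
        if f(x1) < f(x2):
            lo = x1
        else:
            hi = x2
    return 0.5 * (lo + hi)


def mle(t_rel, b):
    """(r_hat, abar_hat) by profiling: for fixed r, l_n is concave in abar, so
    a 1-D search in abar finds its maximiser; the profile is then searched over r."""
    def best_abar(r):
        return golden_max(lambda a: log_likelihood(r, a, b, t_rel), 0.0, A_MAX)

    r_hat = golden_max(lambda r: log_likelihood(r, best_abar(r), b, t_rel),
                       R_MIN, R_MAX)
    return r_hat, best_abar(r_hat)


def se_of_r(r_hat, abar_hat, b, t_rel, dr=1e-4, da=1e-3):
    """se(r_hat) = sqrt([I_hat^{-1}]_11 / n) with I_hat = -(1/n) H(theta_hat).
    The two factors of n cancel, leaving sqrt([(-H)^{-1}]_11); H is the 2x2
    Hessian of l_n in (r, abar) by central differences."""
    if abar_hat <= 2 * da:            # MLE on the no-worm boundary: no curvature
        return float("nan")
    f = lambda r, a: log_likelihood(r, a, b, t_rel)
    f0 = f(r_hat, abar_hat)
    h_rr = (f(r_hat + dr, abar_hat) - 2 * f0 + f(r_hat - dr, abar_hat)) / dr ** 2
    h_aa = (f(r_hat, abar_hat + da) - 2 * f0 + f(r_hat, abar_hat - da)) / da ** 2
    h_ra = (f(r_hat + dr, abar_hat + da) - f(r_hat + dr, abar_hat - da)
            - f(r_hat - dr, abar_hat + da) + f(r_hat - dr, abar_hat - da)) / (4 * dr * da)
    det = h_rr * h_aa - h_ra ** 2     # det(-H) equals det(H) for a 2x2 matrix
    if det <= 0 or h_aa >= 0:         # -H not positive definite: no usable variance
        return float("nan")
    return math.sqrt(-h_aa / det)     # [(-H)^{-1}]_11 = (-h_aa) / det(-H)


def worm_test(t_rel, b, r0=1e-4, qc=3.8):
    """Second-stage decision: alarm when Z_n = (r_hat - r0) / se(r_hat) > q_c."""
    r_hat, abar_hat = mle(t_rel, b)
    se = se_of_r(r_hat, abar_hat, b, t_rel)
    z = (r_hat - r0) / se             # nan propagates and never beats q_c
    return {"r_hat": r_hat, "abar_hat": abar_hat, "se": se, "z": z, "alarm": z > qc}


def ideal_arrivals(b, abar, r, n):
    """Constructed input: arrival times with Lambda_bar(T_j) = j exactly, i.e.
    the most regular realisation of the process with rate b + abar e^{r t}."""
    out = []
    for j in range(1, n + 1):
        lo, hi = 0.0, 200.0
        for _ in range(80):           # bisection on the increasing Lambda_bar
            mid = 0.5 * (lo + hi)
            if b * mid + abar * math.expm1(r * mid) / r < j:
                lo = mid
            else:
                hi = mid
        out.append(0.5 * (lo + hi))
    return out


if __name__ == "__main__":
    # b = 2.5/s background, abar = 1/s, r = 0.08/s (doubling about every 8.7 s)
    print(worm_test(ideal_arrivals(2.5, 1.0, 0.08, 500), 2.5))
```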

In most CUSUM monitoring applications, the CUSUM statistic is reset to zero after a signal is triggered. In the present algorithm, however, a large CUSUM is required for step 210 of FIG. 2 to operate. Hence, the CUSUM is not reset immediately upon crossing the threshold h; rather, the reset occurs only after a substantial downward trend is seen following the trigger. The algorithm identifies a downtrend if the current CUSUM value is, for example, less than 80% of the maximum value recorded since the previous reset.

Although scanner arrivals, for the most part, resemble a locally stationary Poisson process, outliers do occasionally occur in arrival traces. These are cases in which the inter-arrival time between scanners is abnormally large for one reason or another. These outliers never trigger a false alarm, because the MLE does not yield a large r in step 210. However, the outliers can easily lead to a CUSUM signal and thus needlessly trigger the MLE computations.

To reduce the impact of outliers in creating such false alarms, the algorithm may implement the following random tail-draw technique. Let $\mu_{n-1}$ be the most recent exponentially weighted moving average (EWMA) estimate of $E(X_n)$. If $X_n$ lies outside the 0.01% and 99.99% percentiles of the Exponential($\mu_{n-1}$) distribution, then it is replaced with a random draw $\tilde X_n$ from the corresponding distribution for the purpose of calculating $S_n$.

FIG. 3 shows an exemplary worm detection algorithm in accordance with principles of the present invention. This algorithm corresponds to steps 205-210 in FIG. 2. Line by line, the algorithm proceeds as follows. Lines 1 and 2 initialize the CUSUM and an EWMA estimate of the mean inter-arrival time. Starting the EWMA from the median of an initial sample provides robustness against outliers. Dividing the median by log(2) produces an estimate of the mean. For each new unsolicited scanner packet, line 4 computes the current CUSUM and line 5 the current EWMA. No further action is required if the CUSUM is zero. The EWMA parameter w determines the depth of the memory and the relative weight between the current and previous data. Although there is no general rule for the optimal choice of w, in our experiments the performance of the algorithm is similar for various values of w between 10⁻⁴ and 10⁻⁷. Whenever the CUSUM becomes positive, lines 7 and 8 initialize indices used to record the transition and track the local maximum: j is used to track the number of consecutive positive CUSUM values and $S_{max}$ is the local maximum. If the CUSUM remains positive on subsequent steps, then line 10 updates j and $S_{max}$, and line 11 resets the CUSUM to zero if a downtrend is recognized with respect to the local maximum. Line 12 triggers estimation of the propagation rate in lines 13 and 14 if the CUSUM has become large. Lines 15 through 17 test whether the data suggest a significantly large propagation rate with high confidence. If so, the alarm is raised until such time as the CUSUM is reset to zero again.
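The first stage (lines 1 through 12 of FIG. 3, together with the CUSUM recursion, the random tail-draw and the downtrend reset described above), as an added Python example that is not the patent's listing: a `CusumStage` class seeded with the median-based EWMA, fed one inter-arrival time at a time, and a constructed trace of stationary gaps followed by worm-like gaps. It assumes the EWMA is updated with the tail-drawn value, that the replacement draw comes from the whole Exponential($\mu$) distribution, and that h is expressed as a multiple of the initial mean estimate.

```python
import math
import random
import statistics

# Added example, not the patent's FIG. 3 listing: first-stage CUSUM monitor
# over unsolicited-packet inter-arrival times with the EWMA mean estimate,
# the random tail-draw for outliers and the 80% downtrend reset.
# Assumptions: the EWMA is updated with the tail-drawn value; the draw is from
# the whole Exponential(mu) distribution; h is h_mult times the initial mu.


class CusumStage:
    def __init__(self, initial_gaps, p=0.5, h_mult=12.0, w=1e-5, downtrend=0.8, seed=1):
        # Lines 1-2: S_0 = 0 and an EWMA seeded with median / log(2)
        self.s = 0.0
        self.mu = statistics.median(initial_gaps) / math.log(2)
        self.p, self.h, self.w = p, h_mult * self.mu, w
        self.downtrend = downtrend
        self.j = 0              # consecutive positive CUSUM values
        self.s_max = 0.0        # local maximum since the last reset
        self.rng = random.Random(seed)

    def _tail_draw(self, x):
        """Replace X_n lying outside the 0.01%..99.99% quantiles of Exponential(mu)."""
        lo = -self.mu * math.log(1.0 - 1e-4)
        hi = -self.mu * math.log(1e-4)
        if x < lo or x > hi:
            return self.rng.expovariate(1.0 / self.mu)
        return x

    def update(self, x):
        """Feed one inter-arrival time; return True while S_n exceeds h."""
        x = self._tail_draw(x)
        mu = self.mu
        self.s = max(0.0, self.s + mu - x - self.p * mu)    # line 4: CUSUM
        self.mu = (1.0 - self.w) * mu + self.w * x          # line 5: EWMA
        if self.s == 0.0:                                   # line 6: nothing to do
            self.j, self.s_max = 0, 0.0
            return False
        self.j += 1                                         # lines 7-10
        self.s_max = max(self.s_max, self.s)
        if self.s < self.downtrend * self.s_max:            # line 11: downtrend reset
            self.s, self.j, self.s_max = 0.0, 0, 0.0
            return False
        return self.s > self.h                              # line 12: hand off to MLE


def simulate_gaps(n_background, n_worm, b=2.5, a=1.0, r=0.08, seed=7):
    """Constructed trace: Exponential gaps at rate b, then gaps drawn with the
    rate b + a*exp(r t) held fixed over each gap (a simple approximation)."""
    rng = random.Random(seed)
    gaps = [rng.expovariate(b) for _ in range(n_background)]
    t = 0.0
    for _ in range(n_worm):
        g = rng.expovariate(b + a * math.exp(r * t))
        gaps.append(g)
        t += g
    return gaps


def first_signal(gaps, warmup=50):
    """Index of the first gap at which the CUSUM stage signals, or None."""
    stage = CusumStage(gaps[:warmup])
    for i, x in enumerate(gaps):
        if stage.update(x):
            return i
    return None


if __name__ == "__main__":
    trace = simulate_gaps(500, 1500)        # 500 background gaps, then worm
    idx = first_signal(trace)
    print("first CUSUM signal at gap index", idx, "of", len(trace))
```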

A trace of the Slammer Worm outbreak was used to test the algorithm. FIG. 4 plots the number of scanners arriving at the firewall every second, observed over the 1,000 seconds surrounding the outbreak of Slammer. The first dashed vertical line 405 marks the time of arrival of the first Slammer scan, and the second dashed vertical line 410 marks when the worm detector of the present invention signals a worm outbreak. The average number of unsolicited packets is about 2.5 per second before the first worm scan arrives at time 364 seconds. The alarm is raised just 16 seconds after the initial Slammer scan, at which time the scanner rate has increased to about 6.5 per second. Scans from Slammer peak at about 600 seconds, when almost all vulnerable hosts world-wide have become infected. The algorithm was able to give a warning in as little as 6.7% of the time it took for Slammer to infect all hosts. In the trace, only 60 hosts had been affected before Slammer would have been detected, whereas a total of 72,516 were infected when the worm was left to propagate naturally.

FIG. 4 is shown only as an example of the functionality of the worm detection algorithm. It illustrates one embodiment of the present invention and is not intended to limit the present invention in any manner.

It should be clear to persons familiar with the related arts that the process, procedures and/or steps of the invention described herein can be performed by a programmed computing device running software designed to cause the computing device to perform the processes, procedures and/or steps described herein. These processes, procedures and/or steps also could be performed by other forms of circuitry including, but not limited to, application-specific integrated circuits, logic circuits, and state machines.

Having thus described a particular embodiment of the invention, various alterations, modifications, and improvements will readily occur to those skilled in the art. Such alterations, modifications, and improvements as are made obvious by this disclosure are intended to be part of this description though not expressly stated herein, and are intended to be within the spirit and scope of the invention. Accordingly, the foregoing description is by way of example only, and not limiting. The invention is limited only as defined in the following claims and equivalents thereto.

1. A method for detecting the propagation of a worm in a network, the method comprising the steps of: (1) identifying and isolating unsolicited traffic from solicited traffic; and (2) analyzing changes in unsolicited traffic patterns to identify a worm.
2. The method of claim 1, wherein step (2) comprises the steps of: detecting a change in arrival rates of said unsolicited traffic; and determining whether said detected change is due to worm propagation.
3. The method of claim 2, wherein said step of detecting a change in arrival rates of said unsolicited traffic comprises using a cumulative summing (CUSUM) statistical analysis for detecting a change in arrival rates of said unsolicited traffic.
4. The method of claim 3, wherein said step of detecting a change in arrival rates of said unsolicited traffic further comprises issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold.
5. The method of claim 4, wherein said step of determining whether said detected change is due to worm propagation comprises using a non-stationary Poisson process to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
6. The method of claim 5, wherein said step of determining whether said detected change is due to worm propagation is performed responsive to said issuance of said indication.
7. The method of claim 6, wherein said predetermined threshold is selected to provide a small detection delay before detecting a change in arrival rates.
8. A computer program product embodied on a computer readable medium for detecting the propagation of a worm in a network, the product comprising: first computer executable instructions for identifying and isolating unsolicited traffic from solicited traffic; and second computer executable instructions for analyzing changes in unsolicited traffic patterns to identify a worm.
9. The product of claim 8, wherein said second computer executable instructions comprise: instructions for detecting a change in arrival rates of said unsolicited traffic; and instructions for determining whether said detected change is due to worm propagation.
10. The product of claim 9, wherein, in said second computer executable instructions, a cumulative summing (CUSUM) statistical analysis is used for detecting a change in arrival rates of said unsolicited traffic.
11. The product of claim 10, wherein said second computer executable instructions further comprise instructions for issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold.
12. The product of claim 11, wherein, in said second computer executable instructions, a non-stationary Poisson process is used to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
13. The product of claim 12, wherein said instructions for determining whether said detected change is due to worm propagation are performed responsive to said issuance of said indication of change in said arrival rates.
14. The product of claim 13, wherein said predetermined threshold is chosen such that it provides a small detection delay before detecting a change in arrival rate, said small detection delay resulting in fewer false detections.
15. A method for detecting the propagation of a worm in a network, the method comprising the steps of: (1) identifying and isolating unsolicited traffic from solicited traffic; (2) detecting a change in arrival rates of said unsolicited traffic, wherein said detecting comprises using a cumulative summing (CUSUM) statistical analysis for detecting a change in arrival rates of said unsolicited traffic and issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold; and (3) determining whether said detected change is due to worm propagation, wherein said determining comprises using a non-stationary Poisson process to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
16. The method of claim 15, wherein said determining is performed responsive to said issuance of said indication of a change in said arrival rates.
17. The method of claim 16, wherein said predetermined threshold is selected to provide a small detection delay before detecting a change in arrival rates.